Global Privacy & Security Compliance Law Blog

Category Archives: GDPR

Subscribe to GDPR RSS Feed

China Issues New Cybersecurity Law to Protect Children

China’s PCPPIC protects children’s personal information in much the same way as COPPA and the GDPR, but with a few differences. By Wei-Chun (Lex) Kuo, Weina (Grace) Gao, and Cheng-Ling Chen On August 22, 2019, the Cyberspace Administration of China (CAC) released a new data privacy regulation related to children, the Provisions on Cyber Protection … Continue Reading

How Are European Supervisory Authorities Exercising Cooperation and Consistency In Practice?

Recent action by the Hamburg authority may present implications for companies regulated by a lead data protection supervisory authority in Europe. By Fiona Maclean, Tim Wybitul, Joachim Grittmann, Wolf Böhm, Isabelle Brams, and Amy Smyth A German supervisory authority has initiated an investigation into Google’s speech recognition practices and language assistant technologies, which are integrated … Continue Reading

High GDPR Fines: German Data Protection Authority Joins the Club

Following in the footsteps of the CNIL and the ICO, the Berlin DPA will impose a multimillion-euro fine for breach of the GDPR. By Tim Wybitul, Joachim Grittmann, Ulrich Wuermeling, Wolf-Tassilo Böhm, and Isabelle Brams The Berlin Data Protection Authority (Berlin DPA) recently announced that it will issue a multimillion-euro fine for breach of the … Continue Reading

Navigating Data Processing Ethics for FinTech in Hong Kong

If adopted efficiently, the PCPD’s Ethical Accountability Framework should help organizations to demonstrate and enhance trust with individuals. By Kieran Donovan In October, 2018, Hong Kong’s Privacy Commissioner for Personal Data (PCPD) presented the findings of an inquiry into the ethics of data processing, commissioned by the PCPD with the help of the Information Accountability … Continue Reading

France’s CNIL Publishes New Guidance on Cookies

The guidance provides general requirements for obtaining valid consent and details conditions under which audience management cookies may be exempt. By Myria Saarinen and Camille Dorval On 4 July 2019, one day after the UK Information Commissioner’s Office (ICO) published new guidance on cookies, the French Data Protection Authority (CNIL) released its own new guidance … Continue Reading

UK Government Launches ‘Smart Data’ Proposals as Data-Portability Agenda Intensifies

The proposals would grant consumers increasing rights to require providers to share access to their data directly with chosen third parties. By Alain Traill and Gail Crawford The UK government has released a consultation advocating the introduction of sweeping new requirements for service providers to share both consumer data (upon request) and data regarding their own … Continue Reading

UK’s ICO Publishes New Guidance on Cookies

The guidance clarifies the interplay between the PECR and GDPR and provides practical steps to achieving cookie compliance. By Fiona M. Maclean, Laura Holden, and Grace E. Erskine The UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), published guidance on 3 July 2019 to provide greater clarity to organisations grappling with how the … Continue Reading

UK Regulator Imposes Two Substantial Fines for GDPR Data Breaches

The ICO issued notices of intent to fine British Airways and Marriott. What happened? By Gail Crawford, Fiona Maclean, Hayley Pizzey, and Calum Docherty On 8 July 2019, the UK Information Commissioner’s Office (ICO) announced a notice of intent to fine British Airways £183.39 million (about US$230 million) for violating the General Data Protection Regulation … Continue Reading

ICO Launches Consultation on Age-Appropriate Design: A Code of Practice for ISS

Online services have until 31 May to respond to 16 draft standards of age-appropriate design. By Fiona Maclean and Olga M. Phillips The ICO is required by s123 of the Data Protection Act 2018 to prepare a code of practice which contains guidance on standards of age-appropriate design of relevant information society services likely to … Continue Reading

What Companies Can Learn From CNIL’s Privacy Consent Cases on Targeted Marketing … in 60 Seconds

The closure of four cases involving targeted advertising provides lessons for navigating compliance standards under the GDPR. By Myria Saarinen and Elise Auvray Four French advertising technology companies that received a warning in 2018 from the French Data Protection Authority (CNIL) have all implemented the regulator’s required changes. The recent closure of the cases highlights … Continue Reading

EDPB Clarifies Use of Consent and Other Legal Grounds for Clinical Trials, but Challenges Remain

European regulators are expected to align their processes and guidance to accommodate the EDPB’s recommended approach to processing special categories of personal data. By Gail E. Crawford, Frances Stocks Allen, and Mihail Krepchev In January, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the General Data Protection Regulation (GDPR) and … Continue Reading

No Deal Brexit and Data Transfers: Companies Must Prepare Now

Companies should identify data flows, implement a data transfer solution, and update internal documents and privacy notices. By Fiona M. Maclean and Jane Bentham Since our blog on “What a “No Deal” Brexit Means for UK Data Privacy”, the European Data Protection Board (EDPB) has published two information notes on data transfers in the event … Continue Reading

4 Questions to Consider When Dealing With Children’s Data in the US

The FTC and many state attorneys general aggressively monitor apps, websites, and internet-connected products for COPPA compliance. By Jennifer C. Archie, Michael H. Rubin, and Alexander L. Stout In the United States, collecting data directly from children under 13 years of age is tightly regulated by a federal statute, which is aggressively monitored and enforced. … Continue Reading

DIFC Issues New Direct Marketing and Electronic Communications Guidelines

The DIFC guidelines provide practical guidance for DIFC-registered entities engaging in electronic direct marketing, including useful “dos” and “don’ts”. By Brian A. Meenagh, Fiona M. Maclean, and Laura Holden What Do DIFC-Registered Entities Need to Know? In January 2019, the Commissioner for Data Protection for the Dubai International Financial Centre (DIFC) issued new Direct Marketing … Continue Reading

European Commission Adopts Adequacy Decision for Japan

The European Commission adopted its adequacy decision for Japan on 23 January 2019, opening the doors for personal data to flow freely between the two major global economies. By Fiona M. Maclean and Laura Holden The Adequacy Decision Following two years of dialogue between the European Union (EU) and Japan, the European Commission (EC) adopted … Continue Reading

5 Ways for Companies to Limit GDPR Penalties

EU data protection authorities are imposing increased penalties under the GDPR, with more proceedings forecast for 2019. By Tim Wybitul, Prof. Dr. Thomas Grützner, Dr. Wolf-Tassilo Böhm, and Dr. Isabelle Brams The General Data Protection Regulation (GDPR) has been in effect since May 2018. Although the French data protection authority (CNIL) has imposed the highest … Continue Reading

French Data Protection Authority Issues €50 Million Fine in Landmark GDPR Case

The CNIL decision handed down on 21 January 2019, which cites violations of several GDPR obligations, provides important insights for groups wishing to benefit from the “one-stop-shop mechanism”. By Gail E. Crawford, Myria Saarinen, Camille Dorval, and Laura Holden The Complaints Not more than a week after the General Data Protection Regulation 2016/679 (GDPR) came … Continue Reading

What a ‘No Deal’ Brexit Means for UK Data Privacy

Understanding the practical implications of a “No Deal” Brexit (as compared to an exit under an approved Withdrawal Agreement) following last week’s vote against the current withdrawal proposal. By Gail E. Crawford and Jane Bentham “No Deal” Brexit Unless the UK can agree on a deal with the EU that meets the approval of the … Continue Reading

Clinical Trials Under the GDPR: What Should Sponsors Consider?

Sponsors outside the European Union conducting clinical trials in the EU should consider current guidelines and the Breyer case to understand whether GDPR requirements will apply to them. By Gail Crawford and Frances Stocks Allen Many sponsors of clinical trials believe that companies based outside the EU who sponsor clinical trials conducted in the EU … Continue Reading

EDPB Publishes Regulatory Guidance on Territorial Scope of GDPR

The Guidance provides helpful clarifications for service providers and their customers on both sides of the Atlantic. By Robert Blamires, Fiona M. Maclean, and Danielle van der Merwe Long-awaited guidance on the territorial scope of the General Data Protection Regulation (GDPR) has been published by the European Data Protection Board (EDPB) for public consultation (Guidance). … Continue Reading

German GDPR Fine Proceedings Conclude Favourably for Defending Company

Germany’s first GDPR fine offers lesson for companies planning a data breach policy. By Tim Wybitul, Wolf-Tassilo Böhm, and Isabelle Brams In November 2018, Germany’s first fine under the General Data Protection Regulation (GDPR) was imposed — and it was much lower than many expected. The favourable outcome of the proceedings for the defending company … Continue Reading
LexBlog